nixos-config/hosts/procul.nix

{ config, pkgs, lib, ... }:

with lib;
let
  hostname = "procul";
  domain = "informis.land";
  mail-hostname = hostname;
  host_ipv4 = "172.86.179.18";
  host-fqdn = "${hostname}.${domain}";
  all-hostnames = [];

  acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
  acme-certificate = hostname: "/var/lib/acme/${hostname}/fullchain.pem";
  acme-ca = "/etc/nixos/static/letsencryptauthorityx3.pem";

  fudo-ca = "/etc/nixos/static/fudo_ca.pem";

in {

  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "/dev/sdb";
  };

  imports = [
    ../hardware-configuration.nix

    ../defaults.nix

    ../informis/users.nix
  ];

  environment.systemPackages = with pkgs; [
    multipath-tools
  ];

  networking = {
    hostName = hostname;

    # provided by secure-dns-proxy
    nameservers = [ "127.0.0.1" ];

    dhcpcd.enable = false;
    useDHCP = false;

    # TODO: fix IPv6
    enableIPv6 = true;

    # Create a bridge for VMs to use
    macvlans = {
      extif0 = {
        interface = "enp0s25";
        mode = "bridge";
      };
    };

    interfaces = {
      extif0 = {
        # result of:
        # echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
        macAddress = "02:e2:b7:db:e8:af";
        ipv4.addresses = [
          {
            address = host_ipv4;
            prefixLength = 29;
          }
        ];
      };
    };
  };

  hardware.bluetooth.enable = false;

  users = {
    users = {
      gituser = {
        isSystemUser = true;
        group = "nogroup";
      };
    };
  };

  fudo = {

    common = {
      # Sets some server-common settings. See /etc/nixos/fudo/profiles/...
      profile = "server";

      # Sets some common site-specific settings: gateway, monitoring, etc. See /etc/nixos/fudo/sites/...
      site = "joes";

      domain = domain;

      admin-email = "admin@${domain}";

      local-networks = [
        "172.86.179.16/29"
        "208.81.1.128/28"
        "208.81.3.112/28"
        "172.17.0.0/16"
        "127.0.0.0/8"
      ];
    };

    # Not all users need access to procul; don't allow LDAP-user access.
    authentication.enable = false;

    auth.kdc = {
      enable = true;
      database-path = "/var/heimdal/heimdal";
      realm = "INFORMIS.LAND";
      mkey-file = "/srv/heimdal/secure/m-key";
      acl-file = "/etc/heimdal/kdc.acl";
      bind-addresses = [
        host_ipv4
        "127.0.0.1"
        "127.0.1.1"
      ];
    };

    secure-dns-proxy = {
      enable = true;
      upstream-dns = [ "https://cloudflare-dns.com/dns-query" ];
      bootstrap-dns = "1.1.1.1";
      listen-ips = [ "127.0.0.1" ];
      port = 53;
    };

    dns = {
      enable = true;

      dns-hosts = {
        "ns1.informis.land" = "172.86.179.18";
        "ns2.informis.land" = "172.86.179.18";
      };

      listen-ips = [host_ipv4];

      domains = {
        "informis.land" = import ../informis/informis.land.nix {
          inherit host_ipv4 config;
        };
      };
    };

    mail-server = {
      enable = true;
      debug = true;

      domain = domain;
      hostname = "${host-fqdn}";
      monitoring = false;
      mail-user = "mailuser";
      mail-user-id = 525;
      mail-group = "mailgroup";
      clamav.enable = true;
      dkim.signing = true;

      dovecot = {
        ssl-certificate = acme-certificate "imap.${domain}";
        ssl-private-key = acme-private-key "imap.${domain}";
      };

      postfix = {
        ssl-certificate = acme-certificate "smtp.${domain}";
        ssl-private-key = acme-private-key "smtp.${domain}";
      };

      # This should NOT include the primary domain
      local-domains = [
        host-fqdn
        "smtp.${domain}"
      ];

      mail-directory = "/srv/mailserver/mail";
      state-directory = "/srv/mailserver/state";

      trusted-networks = [
        "172.86.179.16/29"
        "127.0.0.0/16"
      ];

      alias-users = {
        root         = ["niten"];
        postmaster   = ["niten"];
        hostmaster   = ["niten"];
        webmaster    = ["niten"];
        system       = ["niten"];
        admin        = ["niten"];
        dmarc-report = ["niten"];
      };
    };

    postgresql = {
      enable = true;
      ssl-certificate = (acme-certificate host-fqdn);
      ssl-private-key = (acme-private-key host-fqdn);
      keytab = "/srv/postgres/secure/postgres.keytab";

      local-networks = [
        "172.86.179.16/29"
        "127.0.0.0/16"
      ];

      users = {
        gituser = {
          password = fileContents "/srv/git/secure/db.passwd";
          databases = {
            git = "ALL PRIVILEGES";
          };
        };
      };

      databases = {
        git = ["niten"];
      };
    };

    git = {
      enable = true;
      hostname = "git.informis.land";
      site-name = "informis git";
      user = "gituser";
      repository-dir = /srv/git/repo;
      state-dir = /srv/git/state;
      database = {
        user = "gituser";
        password-file = /srv/git/secure/db.passwd;
        hostname = "127.0.0.1";
        name = "git";
      };
    };

    acme = {
      enable = true;

      admin-address = "admin@${domain}";

      hostnames = [
        "imap.informis.land"
        "smtp.informis.land"
      ];
    };
  };

  security.acme.certs.${host-fqdn}.email = "admin@${domain}";

  services.nginx = {
    enable = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "${host-fqdn}" = {
        enableACME = true;
        forceSSL = true;
      };
    };
  };
}